CVE-2022-39339
Last modified
CVE-2022-39339 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Openid Connect User Backend | < 1.2.1 |
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhgPatch, Third Party Advisory
- https://github.com/nextcloud/user_oidc/pull/495Patch, Third Party Advisory
- https://hackerone.com/reports/1687005Permissions Required, Third Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhgPatch, Third Party Advisory
- https://github.com/nextcloud/user_oidc/pull/495Patch, Third Party Advisory
- https://hackerone.com/reports/1687005Permissions Required, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-39339?
How severe is CVE-2022-39339?
How do I fix CVE-2022-39339?
Are you affected by CVE-2022-39339?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST